---
- hosts: nas
  gather_facts: true
  become: true

  roles:
    - docker
    - cloud-backups
    - statusservices
    - linux-system-roles.metrics
    - linux-system-roles.firewall

  vars_files:
    - "{{ inventory_dir }}/vars/vault.yaml"

  vars:
    status_services_extra:
      - grafana-server
      - smb

    backups: containers
    backups_ignore:
      - /mergerfs
      - /run/udev

    container_user: "{{ vaulted_media_user }}"
    container_uid: "{{ vaulted_media_uid }}"
    container_group: "{{ vaulted_media_group }}"
    container_gid: "{{ vaulted_media_gid }}"

    global_env_vars:
      - PUID={{ container_uid }}
      - PGID={{ container_gid }}

    container_networks:
      - name: downloaders
        driver: bridge
        subnet: 172.21.10.0/24
        ip_range: 172.21.10.0/24
        gateway: 172.21.10.1

    containers:
      - name: sickchill
        active: true
        image: linuxserver/sickchill
        ports:
          - 8081:8081
        volumes:
          - /opt/sickchill:/config
          - /mergerfs:/mergerfs
        include_global_env_vars: true
        restart: unless-stopped
        networks:
          - downloaders

      - name: transmission
        active: true
        image: linuxserver/transmission
        ports:
          - 9091:9091
        volumes:
          - /opt/transmission:/config
          - /mergerfs:/mergerfs
        include_global_env_vars: true
        environment:
          - USER={{ vaulted_nas_transmission_username }}
          - PASS={{ vaulted_nas_transmission_password }}
        restart: unless-stopped
        networks:
          - downloaders

      - name: qbittorrent
        active: true
        image: linuxserver/qbittorrent
        ports:
          - 8080:8080
        volumes:
          - /opt/qbittorrent:/config
          - /mergerfs:/mergerfs
        include_global_env_vars: true
        environment:
          - WEBUI_PORT=8080
        restart: unless-stopped
        networks:
          - downloaders

      - name: scrutiny
        active: true
        image: ghcr.io/analogj/scrutiny:master-omnibus
        ports:
          - 8088:8080
          - 8086:8086
        volumes:
          - /opt/scrutiny/config:/opt/scrutiny/config
          - /opt/scrutiny/influxdb2:/opt/scrutiny/influxdb
          - /run/udev:/run/udev:ro
        cap_add:
          - SYS_RAWIO
          - SYS_ADMIN # https://github.com/AnalogJ/scrutiny/issues/26#issuecomment-696817130
        devices:
          - /dev/sda
          - /dev/sdb
          - /dev/sdc
          - /dev/sdd
          - /dev/sde
          - /dev/sdf
          - /dev/sdg
          - /dev/sdi

    metrics_monitored_hosts: "{{ groups['nas'] }}" #TODO increase to others
    metrics_retention_days: 14
    metrics_graph_service: no
    metrics_query_service: no

    firewall:
      - service: grafana
        state: enabled

      - port: 8080/tcp
        state: enabled

      - port: 8081/tcp
        state: enabled

      - port: 8086/tcp
        state: enabled

      - port: 8088/tcp
        state: enabled

      - port: 9091/tcp
        state: enabled